December 27, 2014

Bluehost Hacked this week

One of my clients was hacked today. Unfortunately, they are hosted at Bluehost, which is cheap but doesn’t seem to pay a lot of attention to security.

It turns out that many sites on Bluehost got hacked last week by someone installing malware which somehow involves “www.domainameat.cc”. It is easy enough to see if you are hacked. FTP a PHP file from your site and look at it. Does it start with “base64_decode” followed by a bunch of gobbledygook? If so, yep, you are hacked.
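
A scripted version of the check described above, added here as an example (it is not from the original post or the script it links to). It assumes the injected line may sit behind an opening `<?php` tag and an `eval(` wrapper; `scan_site`, `build_sample_site` and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Marker the post describes: the file "starts with" a base64_decode call.
# Assumption: the injected line may sit behind an opening PHP tag and an
# eval( wrapper, so both are allowed before the marker.
INJECTED = re.compile(rb"^\s*(<\?(php)?\s*)?(@?eval\s*\(\s*)?base64_decode\s*\(", re.I)
HEAD_BYTES = 512  # only the start of each file is inspected


def scan_site(root):
    """Return (infected, spam): relative paths of .php files whose head
    matches INJECTED, and every file under the .files directory."""
    infected, spam = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if rel_dir.split(os.sep)[0] == ".files":
                spam.append(rel)
            elif name.lower().endswith(".php"):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    if INJECTED.match(fh.read(HEAD_BYTES)):
                        infected.append(rel)
    return sorted(infected), sorted(spam)


def build_sample_site(root):
    """Constructed sample tree (not real malware): a file with a harmless
    base64 string in the injected position, a clean file, a spam page."""
    os.makedirs(os.path.join(root, ".files"))
    os.makedirs(os.path.join(root, "inc"))
    samples = {
        "index.php": b"<?php eval(base64_decode('ZWNobyAiY29uc3RydWN0ZWQiOw==')); ?><?php echo 'home';",
        os.path.join("inc", "util.php"): b"<?php\nfunction decode($s) { return base64_decode($s); }\n",
        os.path.join(".files", "page1.html"): b"<html>constructed spam page</html>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        infected, spam = scan_site(site)
        print("injected PHP:", infected)
        print("spam files:", spam)
```

The clean `inc/util.php` calls `base64_decode` inside a function and is not flagged, because the pattern is anchored to the start of the file.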

Here’s what I did to fix it; it took about 10 minutes:

  • Delete everything in the “public_html/.files” directory. That’s a bunch of spam.
  • Delete every PHP file on the server.
  • Upload all of them again. You do use version control, right?

Alternatively, you could try using the script from this site, which explains what is going on.

If you have a business site and use my support service, I’d already be doing this for you.  You would already have backups, and you would have version control. This would just be a blip on your day, followed by an email from us explaining what we did to recover.